The key-manahement argument
James Browning
jamesb.fe80 at gmail.com
Mon Jan 21 17:52:19 UTC 2019
On Mon, Jan 21, 2019, 9:20 AM Achim Gratz via devel <devel at ntpsec.org wrote:
> Hal Murray via devel writes:
> >> My thought about how to enable NTS for the pool would involve requiring
> a SRV
> >> record lookup for NTS-KE
> >
> > That SRV lookup could return multiple names. Each would point to a
> separate
> > NTS-KE server.
> >
> > An alternative approach would be to extend the NTS-KE protocol to
> support
> > multiple answers.
>
> No, the client needs to ask multiple times. Otherwise each association
> for that TLS session would get the same S2C and C2S keys and that's a
> no-no.
>
Not seeing a viable exploit ATM. One would need to get a server in the
pool, a ridiculous amount of computer power and/or an exploit against AES
and/or ChaCha as well as acesss to the packet stream of a given host which
puts it out of the range of almost anyone except *no such agency*.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20190121/6efb3487/attachment.html>
More information about the devel
mailing list